OpenSSH 6.4 connection to Cisco 6506 routers/switches fails

Loganaden Velvindron loganaden at gmail.com
Fri Jan 10 17:52:56 EST 2014


On Wed, Jan 8, 2014 at 9:30 PM,  <mikep at noc.utoronto.ca> wrote:
> On Wed, 8 Jan 2014, Loganaden Velvindron wrote:
>
>> On Tue, Dec 24, 2013 at 12:52 AM,  <mikep at noc.utoronto.ca> wrote:
>>>
>>> On Wed, 13 Nov 2013, Loganaden Velvindron wrote:
>>>
>>>> On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker at zip.com.au>
>>>> wrote:
>>>>>
>>>>>
>>>>> On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
>>>>>
>>>>>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>>>>>> Now some (but not all) Cisco router logins hang:
>>>>>>
>>>>>> debug1: sending SSH2_MSG_KEXDH_INIT
>>>>>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>>>>>  [hangs]
>>>>>>
>>>>>
>>>>> Suggestions in approximate order of likelihood.
>>>>>  - the additional KexAlgorithms exceed some static buffer in the Cisco.
>>>>>    Try:
>>>>>    "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>>>>>  - you have some kind of path MTU problem and the extra traffic from the
>>>>>    additional algorithms pushes you past some packet boundary.  Check the
>>>>>    "send-q" column on client and the equivalent on the server and see if
>>>>>    they're non-zero and non-decreasing.
>>>>
>>>>
>>>>
>>>> Shouldn't Mike open a ticket at CISCO so that they start fixing the
>>>> software on their side as well?
>>>
>>>
>>>
>>> Sorry to have taken so long to get back to you about this - your
>>> suggestion about "KexAlgorithms" caused me to test a lot of combinations
>>> to find what will work. It turns out the Cisco SSH server only supports a
>>> limited set of ciphers (this is documented sort-of by Cisco, and is
>>> displayed when you try to force a non-supported cipher).
>>
>>
>> That's short-sighted coming from them.
>>
>> I have tested and I have the same problem with the latest snapshot. This
>> is very annoying.
>>
>> Do you have a ticket number where I can also chip in?
>
>
> I have no access to open Cisco tickets, and our local router person who
> does is still away (like most universities, we've been closed for the
> past few weeks).
>
> I'll talk to him when he gets back, but agree this is very annoying.

I can confirm that the issue is present on the CISCO 1841.


>
>
>>> This in turn seems to limit the key exchange mechanisms that will work.
>>>
>>> Forcing a cipher with '-c' also appears to force something in the Kex for
>>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>>>
>>> I have created a special section of the 'ssh_config' file for those
>>> devices with these options, and all seems to be working fine:
>>>
>>> Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>>> KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>
>>> Thank you for the help!
>>>
>>>
>>>>>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>>>>>> removing that makes no difference.
>>>>>
>>>>>
>>>>>
>>>>> That's because Cipher affects only Protocol 1 (which was some time in
>>>>> the past the only version at least some Cisco devices spoke).
>>>>>
>>>>>> However, forcing '-c 3des' does
>>>>>> allow it to work (even though '3des' is supposed to be the default):
>>>>>
>>>>>
>>>>>
>>>>> 3des is the default Cipher for Protocol 1.  Protocol 2 takes a list
>>>>> (Ciphers) and its default is
>>>>>
>>>>>     aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>>>>     aes128-gcm@openssh.com,aes256-gcm@openssh.com,
>>>>>     aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>>>>>     aes256-cbc,arcfour
>>>>>
>>>>> the -c option overrides both.
>>>>>
>>>>> --
>>>>> Darren Tucker (dtucker at zip.com.au)
>>>>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>>>>>     Good judgement comes with experience. Unfortunately, the experience
>>>>>     usually comes from bad judgement.
>>>>> _______________________________________________
>>>>> openssh-unix-dev mailing list
>>>>> openssh-unix-dev at mindrot.org
>>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>>
>>>
>>> Mike
>>> --
>>> Mike Peterson                            Information Security Analyst - Audit
>>> E-mail: mikep at noc.utoronto.ca                WWW: http://www.noc.utoronto.ca/
>>> Tel: 416-978-5230                                           Fax: 416-978-6620



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
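The thread's fix is a Host-scoped `ssh_config` section that offers CBC ciphers and group1/gex-sha1 key exchange only to the Cisco devices. Since ssh_config applies the first matching value per option, that section must come before any `Host *` block that sets the same option, or the legacy list silently does nothing. The resolver below is an added example, not code from this thread or from OpenSSH; the host names `cisco-*`/`core-rtr?` and the hardened default list are constructed, and it assumes plain `Host` patterns with `*`/`?` wildcards (no `Match`, no `!` negation).

```python
import fnmatch

# Constructed sample: the thread's Cisco-only block placed BEFORE the hardened default.
SAMPLE_CONFIG = """\
Host cisco-* core-rtr?
    Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Host *
    Ciphers aes256-ctr,aes128-ctr
    KexAlgorithms diffie-hellman-group-exchange-sha256
"""

# Methods from the thread's working list worth confining to hosts that need them.
LEGACY = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
          "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

def parse_config(text):
    """Split ssh_config into (host patterns, {option: value}) blocks in file order."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key] = value
    if opts:
        blocks.append((patterns, opts))
    return blocks

def resolve(text, hostname):
    """Per option, the FIRST matching block wins, as ssh_config(5) specifies."""
    effective = {}
    for patterns, opts in parse_config(text):
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in opts.items():
                effective.setdefault(key, value)
    return effective

def legacy_offered(text, hostname):
    """Legacy ciphers/kex methods the client would offer to hostname (sorted)."""
    eff = resolve(text, hostname)
    offered = eff.get("ciphers", "").split(",") + eff.get("kexalgorithms", "").split(",")
    return sorted(a for a in offered if a in LEGACY)
```

Run `legacy_offered` over every host you manage to confirm the legacy methods are offered only to the devices that cannot negotiate anything else.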